[squid-users] Use arp and time acls to control access

Amos Jeffries squid3 at treenet.co.nz
Tue May 10 13:32:40 UTC 2016


On 11/05/2016 12:53 a.m., TarotApprentice wrote:
> I'm trying to restrict internet access of certain devices to certain
> times of the day. My config looks like:
>
> acl devicename1 arp aa:bb:cc:dd:ee:ff
> acl devicename2 arp aa:bb:cc:ff:ee:dd
> acl usertime time MTWHF 06:30-08:00
> acl usertime time MTWHF 18:00-22:30
> http_access allow devicename1 usertime
> http_access allow devicename2 usertime
> http_access deny devicename
> I'm using squid 3.5.17 (the latest in Debian Stretch). The client
> devices are using the proxy in explicit mode. devicename1 and
> devicename2 currently are getting dynamic IPs but I can set the router
> up to give a static IPv4 address and use that instead of the MAC
> address.
> From reading the
> docs it seems arp (the mac address) isn't available if they use
> IPv6.

Correct. Sort of. ARP does not exist in IPv6, but EUI does.

If your network uses SLAAC or DHCPv6 assignments based on the MAC /
EUI-64 then Squid can grab the EUI from the IPv6 address. The arp ACL
uses that for v6 clients when available.

Otherwise you will need static DHCPv6 assignments and src ACL.


> Also if they're using an https site it isn't going to work unless I
> start peeking.

Neither time nor arp types depend on TLS. So the ACLs should work okay
for what they do - just not ideal for what you want to achieve.

HTTPS without bumping just means that your ability to reject is at the
connection/tunnel level rather than individual requests. At present it
should be a reasonable approximation as most browsers don't send many
requests through before closing. That will change as HTTP/2 rollout
increases, since it is designed to maximize connection re-use.



> Is there a better way of restricting the access to the
> allowed times for both http and https traffic?

Not without bumping to get at the individual HTTPS requests.

Amos
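
The EUI lookup Amos describes for v6 clients, as an added example that is not part of the thread and not Squid's own code: it recovers the MAC that Squid's arp ACL can use when a SLAAC/DHCPv6 address embeds the interface's EUI-64, and shows the addresses for which that fails (RFC 4941 privacy addresses, static leases), i.e. the case where a src ACL is needed instead. The MACs are the placeholders from the question; the client addresses, the ACL-name mapping and the function names are constructed for the example.

```python
"""Recover a client MAC from an EUI-64 based IPv6 address.

Added example, not Squid's own code: it reproduces the lookup Squid's
`arp` ACL can do for v6 clients whose SLAAC/DHCPv6 address embeds the
interface MAC, and shows why it fails for RFC 4941 privacy addresses or
static leases (where a `src` ACL is needed instead).
"""
import ipaddress
from typing import Dict, Optional

# Placeholder MACs from the question; the ACL names are the ones used there.
DEVICE_MACS: Dict[str, str] = {
    "devicename1": "aa:bb:cc:dd:ee:ff",
    "devicename2": "aa:bb:cc:ff:ee:dd",
}

# Constructed sample of client addresses (documentation prefix 2001:db8::/32).
SAMPLE_CLIENTS: Dict[str, str] = {
    "2001:db8::a8bb:ccff:fedd:eeff": "SLAAC, EUI-64 from devicename1's MAC",
    "2001:db8::a8bb:ccff:feff:eedd": "SLAAC, EUI-64 from devicename2's MAC",
    "2001:db8::1c2f:9a3b:4d5e:6f70": "RFC 4941 privacy (temporary) address",
    "2001:db8::42": "static DHCPv6 lease, no MAC embedded",
    "192.0.2.10": "IPv4 client (real ARP table lookup, not this path)",
}


def mac_from_eui64(addr: str) -> Optional[str]:
    """Return 'aa:bb:cc:dd:ee:ff' if the interface identifier (low 64 bits)
    of `addr` is a modified EUI-64 built from a 48-bit MAC, else None.

    Per RFC 4291 Appendix A the MAC is split around a fixed 0xfffe and the
    universal/local bit (0x02 of the first octet) is inverted.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version != 6:
        return None
    iid = ip.packed[8:]                  # interface identifier
    if iid[3:5] != b"\xff\xfe":          # hallmark of EUI-64-from-MAC
        return None
    first = iid[0] ^ 0x02                # undo the U/L bit flip
    mac = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def arp_acl_match(addr: str, device_macs: Dict[str, str]) -> Optional[str]:
    """Name of the `arp` ACL whose MAC the client address reveals, or None
    when the address carries no MAC (the case needing a `src` ACL)."""
    mac = mac_from_eui64(addr)
    if mac is None:
        return None
    for name, configured in device_macs.items():
        if configured.lower().replace("-", ":") == mac:
            return name
    return None


if __name__ == "__main__":
    for addr, note in SAMPLE_CLIENTS.items():
        print(f"{addr:32} {note:45} -> {arp_acl_match(addr, DEVICE_MACS)}")
```

Only the two SLAAC addresses resolve to an arp ACL; the privacy address, the static lease and the IPv4 client return None, which is exactly the "static DHCPv6 assignments and src ACL" fallback described above (for IPv4 Squid consults the real ARP table instead).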

